Tuesday, September 14, 2021

Add Virtual Machine Scale Set (VMSS) Managed Identity to Azure Key Vault Access Policy- Powershell

 The below Powershell script will help you to add VMSS managed identity to Azure Key vault access policy.

#First, Get the identity Object ID and application Id based on the managed identity name

$identity = Get-AzUserAssignedIdentity -ResourceGroupName "RGName" -Name "sample-vmssid"

# $identity.ClienId is the Application ID and $identity.PrincipalID is the Object ID. You can run the below command by passing parameters and permissions required to be set to the Key vault

Set-AzKeyVaultAccessPolicy -ResourceGroupName "RGName" -VaultName "VaultName-kvt" -ObjectId $identity.PrincipalId -ApplicationId $identity.ClientId -PermissionsToKeys get,list,unwrapKey,wrapKey -PermissionsToSecrets get -PermissionsToCertificates get,list,delete,create

#Thats it and you can see the vmss managed identity in the access policy for key vault.

#You can do the above using Azure CLI as well like below

spObjectID=$(az resource list -n vmss_name --query [*].identity.principalId --out tsv)

az keyvault set-policy -n vaultname-kvt --key-permissions get list wrapKey unwrapKey --secret-permissions backup restore --certificate-permissions get list delete create --object-id spObjectID

**Always share your knowledge**

Sunday, September 12, 2021

Set the compilation debug flag in IIS web.config

 One of the first things I check when troubleshooting ASP.NET applications is the debug flag in the web.config.

For this, I’ve written the following function that use the [xml] accelerator to cast the web.config file contents as an xmlDocument and use PowerShell’s dot notation to get the debug flag value, or use the .NET methods of the dom document to set the debug flag value:

function SetWebConfigDebugFlag {


        [Parameter(Mandatory=$true, ValueFromPipelineByPropertyName=$true)]



        [ValidateSet(‘True’, ‘False’)]

        $DebugFlag = $false


$mersite= Get-Website -Name $IISsitename

$appPath = $mersite.physicalPath + "\web.config"

$config = [xml](Get-Content -Path $appPath)

 try {

if (($config.SelectSingleNode(‘configuration/system.web/compilation’)) -eq $null) {

$compilation = $config.CreateElement(‘compilation’)

$sw = $config.SelectSingleNode(‘configuration/system.web’)

[void] $sw.AppendChild($compilation)


if ($config.SelectSingleNode(‘configuration/system.web/compilation/debug’) -eq $null) {

$compilation = $config.SelectSingleNode(‘configuration/system.web/compilation’)

$compilation.SetAttribute(‘debug’, ($DebugFlag.ToString()).ToLower())

} else {

$config.configuration.‘system.web’.compilation.debug = $DebugFlag



if($?) {

$Result = ‘Success’

$ThisDebugFlag = $DebugFlag

} else {

$Result = ‘Error saving the config file’

$ThisDebugFlag = ""



catch {

$Result = $appPath.Exception.Message

if ($Result -eq ‘You cannot call a method on a null-valued expression.’) {

$Result = "Configuration does not contain a ‘system.web’ section"

$ThisDebugFlag = ""



New-Object -TypeName PSObject -Property @{‘Path’=$appPath; ‘DebugFlag’=$ThisDebugFlag; ‘Result’=$Result }


#Calling the above function by passing iissitename and Debugflag params.

SetWebConfigDebugFlag -IISsitename "iissitename" -DebugFlag 'True'

Wednesday, September 8, 2021

Azure Sentinel- Most common Use cases deployment

 Ready to go . Just import them, configure any additional permissions needed. Take advantage of Azure Sentinel right now.

Disable Users from OnPrem Active Directory:


Block Azure AD Users:


Integrate Azure Sentinel alerts with Service Now:


Add Comments (Guidelines) on Incidents:


Confirm Risks for Azure Active Directory Users:


Collect Threat Vulnerability Management report from compromised Machine:


Send all details (Machine Vulnerabilities, Missing KBs, Security Recommendations, Alerts, Software Inventory) from a compromised Machine and send it via Teams:


Send scheduled report focused on Cost Management:


Start Packet Capture from a compromised Machine:


Send scheduled report focused on Connector Heath:


Restrict App Execution in a compromised Machine:


Monday, September 6, 2021

Backup objects into another vault in another subscription

 How to: Backup objects into another vault in another subscription

In this section, I'm getting the secret values and saving them into another vault directly. We want to do this without touching any disk files.

With this approach, we're simply fetching all secrets from Vault1 in Subscription1, and saving them to Vault2 in Subscription2. However, remember that the secrets we fetch now are not encrypted to your subscription, hence it's not a good idea to persist them in memory, sessions or disk. Here I'm not saving it to any variables.

Make sure you have installed Azure CLI for windows in order to run the below script.


    [parameter(mandatory)] [string] $sourceVaultName,

    [parameter(mandatory)] [string] $sourceSubscriptionId,

    [parameter(mandatory)] [string] $destinationVaultName,

    [parameter(mandatory)] [string] $destinationSubscriptionId,

    [string] $destinationSecretsDisable = $true


# 1. Set the source subscription id. 

Write-Host "Setting origin subscription to: $($sourceSubscriptionId)..."

az account set -s $sourceSubscriptionId

# 1.1 Get all secrets

Write-Host "Listing all origin secrets from vault: $($sourceVaultName)"

$originSecretKeys = az keyvault secret list --vault-name $sourceVaultName  -o json --query "[].name"  | ConvertFrom-Json

# 1.3 Loop the secrets, and push the value to the destination vault without instantiating new variables.

$originSecretKeys | ForEach-Object {

    $secretName = $_

    Write-Host " - Getting '$($secretName)' from origin, and setting in destination..."

    az keyvault secret set --name $secretName --vault-name $destinationVaultName -o none --value(az keyvault secret show --name $secretName --vault-name $sourceVaultName -o json --query "value")


Write-Host "Secrets restored."

You can call the above script as mentioned below

.\CopySecretsToAnotherVault.ps1 -originVault "vault1-name" -originSubscriptionId "SUBSCRIPTION GUID" -destinationVault "vault2-name" -destinationSubscriptionId "SUBSCRIPTION GUID"

Passing Keyvault certificates to Virtual Machine deployment using ARM template


Referencing certificate from keyvault in an ARM template

You need to make sure all parameters are passed

"virtualMachineProfile": {
          "osProfile": {
            "windowsConfiguration": {
            "secrets": [
                "sourceVault": {
                  "id""[resourceId(parameters('RG'), 'Microsoft.KeyVault/vaults', parameters('vaultName'))]"
                "vaultCertificates": [

Tuesday, August 24, 2021

Purging a soft deleted Azure APIM - API Management

 First you need to run the below script to get all soft deleted apims so that the details can be passed to the delete method which we will run after this. The output printed on powershell window is trimmed and hence I'm writing the response to an output file.

#GET Request- To list all soft deleted apims in a specific subscription

$token = Get-AzAccessToken

$request = @{

    Method = 'GET'

    Uri    = "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ApiManagement/deletedservices?api-version=2020-06-01-preview"

    Headers = @{

        Authorization = "Bearer $($token.Token)"



Invoke-RestMethod @request  -OutFile c:\apimoutput.txt

#DELETE Request- This will purge the soft deleted apim 

$token = Get-AzAccessToken

$request = @{

    Method = 'DELETE'

    Uri    = "https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ApiManagement/locations/{Location}/deletedservices/{APIMName}?api-version=2020-06-01-preview"

    Headers = @{

        Authorization = "Bearer $($token.Token)"



Invoke-RestMethod @request

Version an API in Azure API Management using Azure Resource Manager

When creating a new API in an Azure API Management Service using the portal, you can specify whether you would like the API to be versioned

To achieve this through ARM scripts you'll need to create an ApiVersionSet resource first:
    "name": "[concat(variables('ManagementServiceName'), '/', variables('VersionSetName'))]",
    "type": "Microsoft.ApiManagement/service/api-version-sets",
    "apiVersion": "2017-03-01",
    "properties": {
        "description": "Api Description",
        "displayName": "Api Name",
        "versioningScheme": "Segment"

Then update the apiVersionSetId property on the Microsoft.ApiManagement/service/apis resource:

        "type": "Microsoft.ApiManagement/service/apis",
        "name": "[concat(variables('ManagementServiceName'), '/', variables('ApiName'))]",
        "apiVersion": "2017-03-01",
        "dependsOn": [
            "[resourceId('Microsoft.ApiManagement/service/api-version-sets', variables('ManagementServiceName'), variables('VersionSetName'))]"
        "properties": {
            "displayName": "string",
            "apiRevision": "1",
            "description": "",
            "serviceUrl": "string",
            "path": "string",
            "protocols": [
            "isCurrent": true,
            "apiVersion": "v1",
            "apiVersionName": "v1",
            "apiVersionDescription": "string",
            "apiVersionSetId": "[concat('/api-version-sets', variables('VersionSetName'))]"